
Data Breach Response and Incident Notification
Crisis management, privileged forensic investigation and multi-regime regulatory notification for telecoms, payments and technology businesses
Data breach response: what happens in the first 72 hours
The UK GDPR imposes mandatory breach notification obligations. Article 33 requires controllers to notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; a notification made after 72 hours must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk, Article 34 requires the controller to communicate the breach to affected individuals without undue delay. Processors must notify their controllers without undue delay under Article 33(2), and every controller must keep a record of all personal data breaches, whether or not they were notified, under Article 33(5). Failure to comply with the notification obligations may itself result in enforcement action by the ICO, including fines under Article 83.
A single cyber-security incident at a UK telecoms provider can trigger notification obligations to the ICO under the UK GDPR and PECR, to Ofcom under the Telecommunications (Security) Act 2021, and potentially under the Network and Information Systems Regulations 2018. An incident at a payment institution may require notification to the ICO under the UK GDPR, to the FCA under the Payment Services Regulations 2017 and SUP 15.3, and from March 2027 under the new FCA operational incident reporting regime. Each regime has different thresholds, timelines and information requirements. Bratby Law’s practice spans all three regulatory pillars, providing a single point of specialist advice across the full notification matrix.
Containment and privileged forensic investigation
The two critical first steps in any data breach are containment and privileged investigation. Containment means stopping any ongoing unauthorised access, isolating compromised systems and preventing further data loss, while preserving the logs, images and other evidence that the investigation will depend on. The privileged investigation, instructed by lawyers, establishes what data has been compromised, how the breach occurred and who is affected. This sequencing matters: the 72-hour clock under Article 33 of the UK GDPR runs from the point at which the controller becomes aware of the breach, which the ICO treats as having a reasonable degree of certainty that a security incident has compromised personal data. A properly structured, privilege-protected forensic investigation determines what has actually happened before the notification obligation crystallises. It cannot be used to defer awareness indefinitely: the ICO expects that initial period of investigation to be short, and Article 33(4) allows information that is not yet available to be provided in phases, so an incomplete picture is not a reason to miss the deadline.
Legal professional privilege can attach to the forensic investigation when it is instructed by lawyers for the dominant purpose of obtaining legal advice or in contemplation of regulatory or court proceedings. Where it applies, the forensic report, the investigator’s working papers and the communications between the investigator and the legal team are protected from disclosure to regulators, to claimants and in subsequent litigation. Without privilege protection, the forensic findings are discoverable and may be used against the organisation in enforcement proceedings or group claims. Privilege is fact-sensitive: a report commissioned primarily for technical remediation or business continuity, or circulated widely for operational purposes, may not be protected even if lawyers are copied in, and privilege does not remove the obligation to give the ICO the information Article 33(3) requires (the nature of the breach, its likely consequences and the measures taken). It protects the underlying analysis and the legal advice on it, not the facts that must be notified. We instruct and manage the forensic IT investigators under privilege, ensuring that the investigation is structured to maintain protection from the outset.
The practical effect is significant. A privileged forensic report allows the organisation to understand the full picture before making notifications, to take legal advice on the findings without waiving privilege, and to present a considered, accurate notification to the relevant regulator rather than a series of speculative updates.
UK GDPR and PECR notification
The core notification obligation arises under Article 33 of the UK GDPR; the parallel obligation for law enforcement processing by competent authorities under Part 3 of the Data Protection Act 2018 is in section 67 of that Act. The controller must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the controller must also notify the affected data subjects without undue delay under Article 34.
Telecoms providers face a stricter obligation under the Privacy and Electronic Communications Regulations 2003 (PECR). Regulation 5A requires providers of public electronic communications services to notify the ICO of personal data breaches without undue delay, and the retained Commission Regulation (EU) 611/2013, which sits alongside it, fixes that at no later than 24 hours after detection where feasible. This is tighter than the UK GDPR 72-hour deadline. A telecoms provider must comply with the stricter PECR timeline while simultaneously meeting its UK GDPR obligations. Our PECR and ePrivacy page covers the full range of PECR obligations for communications providers.
The ICO can impose fines of up to 17.5 million pounds or 4% of global annual turnover for UK GDPR infringements, including failures to notify breaches, inadequate security measures and failures to maintain breach records. The ICO’s approach to enforcement considers the controller’s conduct before, during and after the breach. Cooperation, prompt containment, transparent communication with data subjects and evidence of prior investment in security are mitigating factors. Delayed detection, inadequate incident response plans and obstruction are aggravating factors.
Telecoms security incident reporting under the TSA 2021
The Telecommunications (Security) Act 2021 (TSA) introduced a distinct incident reporting obligation for providers of public electronic communications networks and services. Section 105K of the Communications Act 2003 (as inserted by the TSA) requires providers to notify Ofcom as soon as reasonably practicable of any security compromise that has a significant effect on the operation of the network or service, or that allows positioning for further significant compromises. This covers cyber-attacks, ransomware, network intrusions and “pre-positioning” attacks where an adversary gains access without immediately exploiting it.
The TSA reporting obligation is separate from the UK GDPR and PECR obligations. It addresses the security and resilience of the network itself, not just the personal data it carries. The Electronic Communications (Security Measures) Regulations 2022 and the government’s Telecommunications Security Code of Practice set out the detailed security standards that providers must meet, and Ofcom’s procedural guidance explains how it monitors and enforces them. Ofcom can impose penalties of up to 10% of relevant turnover, or 100,000 pounds per day for a continuing contravention, for breaches of the security duties. Our Telecoms Security page covers the TSA framework in detail, including the tiering system and Ofcom’s compliance and enforcement approach.
In practice, a single cyber-security incident at a telecoms provider may trigger three parallel notification obligations: to the ICO under PECR (24 hours) and the UK GDPR (72 hours) for any personal data breach, and to Ofcom under the TSA for any significant network security compromise. Each notification has different content requirements, different thresholds and different regulatory consequences. Coordinating these notifications is a core part of the crisis management process.
NIS Regulations and the Cyber Security and Resilience Bill
The Network and Information Systems Regulations 2018 (NIS Regulations) impose incident reporting obligations on operators of essential services (OES) and relevant digital service providers (RDSPs). OES include organisations in the energy, transport, water, health and digital infrastructure sectors. RDSPs include online marketplaces, search engines and cloud computing services. An incident that has a significant impact on the continuity of the essential service (or, for an RDSP, a substantial impact on the provision of the digital service) must be reported to the designated competent authority for the sector without undue delay and no later than 72 hours after the operator becomes aware of it. For digital service providers, the ICO is the competent authority.
The interaction between the NIS Regulations and the TSA for telecoms providers is not straightforward. Telecoms providers that are designated as operators of essential services may be subject to both regimes, with TSA as the primary framework for network security and NIS for broader service resilience. Guidance on the overlap is limited; in practice, providers should assume dual compliance and coordinate notifications across both regimes.
The UK government introduced the Cyber Security and Resilience Bill in November 2025, which is expected to receive Royal Assent in late 2026 with full implementation likely in 2028. The Bill will substantially amend the NIS Regulations, introducing mandatory initial reporting within 24 hours and a full report within 72 hours, a broader sectoral scope and significantly higher penalties of up to 17 million pounds or 4% of global turnover. While the Bill is not yet in force, organisations should begin planning for the stricter requirements.
FCA incident reporting for payment and financial services firms
Payment institutions, electronic money institutions and other FCA-authorised firms face their own incident notification obligations. Under Regulation 99 of the Payment Services Regulations 2017, payment service providers must report major operational or security incidents to the FCA without undue delay. Under the FCA Handbook (SUP 15.3), all authorised firms must notify the FCA of matters that the FCA would reasonably expect to be informed of, including material operational incidents.
The FCA’s operational incident reporting framework is changing. In March 2026, the FCA published PS26/2, introducing a standardised operational incident and third-party reporting regime effective from 18 March 2027. From that date, all firms with Part 4A permissions, payment service providers, investment exchanges and trade repositories must submit an initial incident report within 24 hours of determining that the incident meets the notification threshold. The threshold is met where an incident causes, or could cause, harm to consumers, a risk to the safety or soundness of the firm, or a risk to market integrity or the stability of the UK financial system.
The FCA’s operational resilience framework under SYSC 15A (implementing PS21/3) requires firms to identify their important business services, set impact tolerances and test their ability to remain within those tolerances during severe but plausible scenarios. A cyber incident that disrupts an important business service engages these requirements and may trigger additional regulatory scrutiny. The Critical Third Parties regime under the Financial Services and Markets Act 2023 imposes further incident reporting obligations on designated critical third-party providers to the UK financial sector.
DORA, the EU’s Digital Operational Resilience Act, does not apply directly in the UK. However, UK firms serving EU clients or acting as ICT third-party providers to EU financial institutions may face DORA obligations in respect of their EU-facing activities. Our Operational Resilience and DORA page covers the UK and EU operational resilience frameworks in detail.
Crisis management and the breach response team
A data breach response is not a legal exercise conducted in isolation. It requires coordinated action across the organisation. We work as part of a crisis management team that typically includes IT and information security (containment and forensic investigation), communications and PR (media handling and data subject notifications), senior management and the board (strategic decisions, risk appetite, disclosure), insurance brokers and insurers (policy notification and claims management), and external forensic IT investigators (instructed under privilege by the legal team).
During the acute phase of a breach, we participate in daily calls with the crisis team, providing real-time legal advice on the evolving situation. The daily call structure ensures that the legal, technical and commercial workstreams remain aligned, that decisions are documented and that notification deadlines are tracked across all applicable regimes. We prepare board-level briefing notes, draft holding statements for communications teams and review public-facing notifications before issue. For a material breach, daily crisis calls typically continue for two to four weeks.
Insurance notification
Cyber insurance and professional indemnity policies typically require notification of a breach or potential claim within a specified period, often as soon as the insured becomes aware of circumstances that may give rise to a claim. Late notification to insurers can prejudice coverage. We advise on the timing and content of insurance notifications in parallel with regulatory notifications, ensuring that the policy requirements are met without inadvertently waiving privilege or making admissions that affect the coverage position. Where the policy provides for panel counsel or approved forensic investigators, we coordinate with the insurer’s panel to avoid duplication and ensure that privilege is maintained across all workstreams.
Multi-jurisdictional notification
Notification obligations are not limited to the UK. A breach affecting individuals in multiple jurisdictions triggers notification requirements in each relevant jurisdiction. EU Member States require notification to the lead supervisory authority under the EU GDPR. The US imposes state-level breach notification obligations, with different thresholds, timelines and content requirements across all 50 states. Other jurisdictions including Australia, Singapore, Canada and Brazil have their own mandatory notification regimes. An international breach requires a coordinated, multi-jurisdictional notification strategy, not a series of separate national exercises. We advise on the full matrix of notification obligations and manage the timetable to ensure each deadline is met.
Notification obligations at a glance
The following table summarises the principal UK notification obligations that may be triggered by a cyber-security incident. Most organisations are subject to more than one regime. The table is not exhaustive; sector-specific requirements may impose additional obligations.
| Regime | Legislation | Regulator | Deadline | Applies to |
|---|---|---|---|---|
| UK GDPR breach notification | UK GDPR Article 33 (law enforcement processing: DPA 2018 s.67) | ICO | Without undue delay; where feasible 72 hours | All data controllers |
| PECR breach notification | PECR Regulation 5A | ICO | 24 hours | Telecoms providers, ISPs |
| TSA security incident reporting | Communications Act 2003, s.105K | Ofcom | As soon as reasonably practicable | Public ECN/ECS providers |
| NIS incident reporting | NIS Regulations 2018, Regs 20-24 | Sector competent authority | 72 hours | Operators of essential services; RDSPs |
| PSRs major incident reporting | PSRs 2017, Reg 99 | FCA | Without undue delay | Payment service providers |
| FCA operational incident reporting (from March 2027) | PS26/2; SYSC 15A | FCA | 24 hours | All Part 4A firms, PSPs |
| Critical Third Party incidents | FSMA 2000 Part 18 Chapter 3C (inserted by FSMA 2023); SS6/24 | FCA/PRA/BoE | Per PS26/2 | Designated CTPs |
How Bratby Law helps with data breach response
We act as part of the data breach crisis team from initial detection through to resolution, across all applicable regulatory regimes:
- Immediate containment advice: legal guidance on stopping the breach, preserving evidence and protecting the organisation’s position from the first call
- Privileged forensic investigation: instructing and managing forensic IT investigators under legal privilege, ensuring that the investigation findings are protected from disclosure to regulators, claimants and in litigation
- Crisis team coordination: participating in daily crisis calls with IT, communications, senior management and insurers, providing real-time legal advice throughout the acute phase
- Multi-regime notification management: coordinating concurrent notifications to the ICO (UK GDPR, PECR), Ofcom (TSA), the FCA (PSRs, SUP 15.3, PS26/2), the PSR and other regulators, each with different thresholds and timelines
- Multi-jurisdictional notification: advising on concurrent notification obligations in the UK, EU, US and other jurisdictions, managing the timetable across different regimes
- Data subject communication: drafting Article 34 notifications to affected individuals, assessing whether exemptions from individual notification apply
- Insurance notifications: advising on the timing and content of notifications to cyber insurers and professional indemnity insurers, coordinating with panel counsel where required
- Regulatory liaison: managing communications with the ICO, Ofcom, the FCA and sector regulators during and after investigations, responding to information notices and enforcement proceedings
- Post-incident remediation: advising on remedial measures, updating incident response plans, reviewing security obligations under the TSA and NIS Regulations, and preparing for potential group claims
Frequently asked questions about data breach response
When does the 72-hour notification deadline start?
The 72-hour clock under the UK GDPR starts when the controller becomes aware of the breach with a reasonable degree of certainty that a security incident has led to personal data being compromised. In practice, a short period of investigation to establish that is legitimate, and that is the point at which the privileged forensic investigation confirms that personal data has been affected. The clock does not start at the first sign of a security incident. However, organisations cannot extend the deadline by failing to investigate promptly: the ICO expects controllers to have detection and investigation procedures in place, a notification made after 72 hours must explain the delay, and Article 33(4) allows details that are not yet known to be supplied in phases rather than justifying a late first report.
Why should the forensic investigation be instructed by lawyers?
Legal professional privilege protects the forensic report and working papers from disclosure to regulators, to claimants in group litigation and in subsequent regulatory proceedings. If the investigation is instructed directly by the IT team or by management for operational reasons, privilege is unlikely to attach, because the dominant purpose test is not met, and the findings are discoverable. Structuring the investigation under privilege from the outset, with the engagement letter, scope and reporting lines running through the legal team, is a critical early decision that cannot be retrospectively corrected.
How many regulators might I need to notify?
It depends on what you do. A telecoms provider may need to notify the ICO (under both PECR and the UK GDPR) and Ofcom (under the TSA). A payment institution may need to notify the ICO (UK GDPR) and the FCA (PSRs Regulation 99 and SUP 15.3). A dual-regulated telecoms and payments business could face notifications to all three. Each regime has different thresholds, deadlines and content requirements. A coordinated notification strategy is essential.
Do I need to notify regulators outside the UK?
If the breach affects individuals in other jurisdictions, you may have notification obligations in each. EU Member States require notification under the EU GDPR. US states have individual breach notification statutes with varying thresholds and deadlines. Other countries including Australia, Singapore, Canada and Brazil have mandatory notification regimes. A multi-jurisdictional breach requires a coordinated notification strategy covering all relevant regulators simultaneously.
What should I tell my insurer?
Notify your cyber insurer and professional indemnity insurer as soon as you become aware of circumstances that may give rise to a claim. Late notification can prejudice coverage. The notification should describe the incident factually without making admissions. If your policy specifies panel counsel or approved forensic investigators, coordinate with the insurer early to avoid duplication of effort and cost.
What is changing in FCA incident reporting?
The FCA published PS26/2 in March 2026, introducing a new standardised operational incident reporting regime effective from 18 March 2027. From that date, firms must submit an initial report within 24 hours of determining that an incident meets the notification threshold. This replaces the current less structured reporting under SUP 15.3 and brings payment service provider reporting (PSRs Regulation 99) within a single framework. Firms should begin preparing for the new requirements now.
How long do daily crisis calls typically last?
For a material breach, daily crisis calls with the full response team typically run for two to four weeks during the acute phase. Each call reviews forensic investigation progress, notification deadlines across all applicable regimes, communications strategy and any further issues. As the situation stabilises, calls reduce to weekly and then as-needed. The structure ensures that legal, technical and commercial decisions remain aligned throughout the response.
Representative experience
Recent and representative matters include:
- Managed the breach response and ICO notification for a telecoms operator following a cyber-attack that compromised customer account data, coordinating technical forensics, legal assessment and regulatory engagement within the 72-hour notification window.
- Advised a financial services firm on its Article 33 notification obligation after a third-party processor suffered a ransomware incident affecting client personal data, including the assessment of risk to individuals and the scope of the Article 34 communication duty.
- Prepared and submitted ICO breach notifications for a technology company following the inadvertent disclosure of employee personal data, securing closure without enforcement action.
- Designed a data breach response framework for a multinational, including escalation procedures, template ICO notifications, individual communications, and regulator engagement protocols across UK and EU jurisdictions.
- Advised on the interaction between the UK GDPR breach notification requirements and Ofcom’s security incident reporting obligations under the Telecommunications (Security) Act 2021 for a dual-regulated operator.
Related data protection pages
See also our other data protection pages:
- Data Protection
- UK GDPR and Regulatory Compliance
- AI and Automated Decision-Making
- Sector-Specific Data Protection
- Data Governance, Transfers and Accountability
- PECR and ePrivacy
- Data Protection Impact Assessments
- UK/EU Data Protection Divergence
See also our related telecoms and payments regulation pages:
- Telecoms Security (TSA 2021, Ofcom security duties)
- Operational Resilience and DORA (FCA operational resilience, PS26/2)
- Complaints and Investigations (Ofcom enforcement)
